August 26, 2005

Oversight Review
Quality Control Review of Air Force Audit Agency’s Special Access Program Audits
(Report No. D-2005-6-009)

Department of Defense
Office of the Inspector General
Quality    Integrity    Accountability

Additional Copies

To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Office of Audit Policy and Oversight at (703) 604-8760 or fax (703) 604-9808.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Office of Audit Policy and Oversight at (703) 604-8760 or fax (703) 604-9808. Ideas and requests can also be mailed to:

    OAIG-APO
    Department of Defense Inspector General
    400 Army Navy Drive (Room 1015)
    Arlington, VA 22202-4704

Acronyms

AFAA    Air Force Audit Agency
AIC     Auditor-In-Charge
GAS     Government Auditing Standards
NAS     Naval Audit Service
PCIE    President’s Council on Integrity and Efficiency
SAP     Special Access Program

Appendix A. Scope and Methodology

We limited our review to the adequacy of AFAA SAP auditors’ compliance with quality policies, procedures, and standards. We judgmentally selected 3 SAP audits from a universe of 27 formal reports issued by AFAA SAP auditors in FYs 2002, 2003, and 2004, and tested each audit for compliance with the AFAA system of quality control. The Naval Audit Service conducted a review of the AFAA internal quality control system for non-SAP audits and/or attestation engagements and is issuing a separate report.
The Assistant Inspector General for Audit Policy and Oversight will issue an overall opinion report on the AFAA internal quality control system that will include the combined results of the reviews of SAP and non-SAP audits.

In performing our review, we considered the requirements of quality control standards and other auditing standards contained in the 2003 Revision of the Government Auditing Standards (GAS) issued by the Comptroller General of the United States. GAS 3.52 states:

    The external peer review should determine whether, during the period under review, the reviewed audit organization’s internal quality control system was adequate and whether quality control policies and procedures were being complied with to provide the audit organization with reasonable assurance of conforming to applicable professional standards. Audit organizations should take remedial, corrective actions based on the results of the peer review.

We conducted this review in accordance with standards and guidelines established in the Draft 2004 President’s Council on Integrity and Efficiency (PCIE) “Guide for Conducting External Peer Reviews of the Audit Operations of Offices of Inspector General.” We modified the Guide to ensure consistency with the Naval Audit Service review of non-SAP audits, and to reflect the unique nature of auditing within a SAP environment. We interviewed AFAA auditors and their managers, and reviewed AFAA internal audit-related policies and procedures.
We performed this review in May 2005 at three AFAA field offices.

We used the following criteria to select the audits under review:

• Worked backward starting with FY 2004 audits in order to review the most current quality assurance procedures in place.
• Eliminated Base Realignment and Closure audits because they are not considered typical audits.
• Avoided audits with multiple SAPs associated with the audit for ease of access.
• Avoided audits that have the same or similar titles to ensure review of multiple types of projects.

The following table identifies the specific reports reviewed.

Report Number        Date           Title
F2004-0004-FA0900    26 Jan 2004    “Cash Controls”
F2004-0005-FA0900    4 Jun 2004     “Financial and Contracting Management”
F2004-0007-FA0900    16 Jul 2004    “Support Agreements”

Limitations of Review. Our review would not necessarily disclose all weaknesses in the system of quality control or all instances of noncompliance with it because we based our review on selective tests. There are inherent limitations in considering the potential effectiveness of any quality control system. In performing most control procedures, departures can result from misunderstanding of instructions, mistakes of judgment, carelessness, or other human factors. Projecting any evaluation of a quality control system into the future is subject to the risk that one or more procedures may become inadequate because conditions may change or the degree of compliance with procedures may deteriorate.

Appendix B.
Comments, Observations, and Recommendations

We are issuing an unqualified opinion because this is the first external peer review for AFAA SAP audits and the issues we identified were not cumulatively significant to the reports’ findings, conclusions, and recommendations. Overall, we found that AFAA could improve the quality control system and guidance for SAP audits related to the areas of Independence, Audit Planning, Supervision, Evidence and Audit Documentation, Reporting, and Quality Assurance. Implementing the recommendations identified below would improve the quality control system and help maintain an unqualified opinion.

Independence. GAS 3.03 states that audit organizations and individual auditors “should be free both in fact and appearance from personal, external, and organizational impairments to independence.” AFAA Instruction (AFAAI) 65-103, “Audit Management and Administration,” requires auditors to sign an Independence Statement at the beginning of each audit to “certify there are no relationships and beliefs that might cause the auditor or supervisor to limit the extent of the inquiry, limit disclosure, or slant audit findings in any way.”

We found no indications of impairment during our review. However, there were no Independence Statements for two of the three audits. The third audit had an Independence Statement that had been backdated by the auditor, who used a version of the AFAA Independence Statement that was not in effect until April 2004, after the date of his signature – August 2003.

The AFAA Chief, Special Programs Division stated that he had been unaware of the requirement for project-specific Independence Statements until the fall of 2003.
He relied on annual Financial Disclosure Statements and the AFAA Annual Certification acknowledging the need to report any conflicts of interest to verify the auditors’ independence. However, AFAA had the project-specific Independence Standard in place since September 2002 and all three projects were initiated after this date. AFAA Policy, Oversight, and Systems Division personnel stated to us that new policy is placed on the AFAA intranet homepage, and disseminated in an e-mail to all AFAA personnel.

Audit Planning. GAS 7.02 states that “work is to be adequately planned,” and GAS 7.07 states that “planning should be documented.” GAS 7.41 requires auditors to document the planning, and states:

    [T]he form and content of the written audit plan will vary among audits, but should include an audit program or project plan, a memorandum, or other appropriate documentation of key decisions about the audit objectives, scope, and methodology and of the auditors’ basis for those decisions. It should be updated, as necessary, to reflect any significant changes to the plan made during the audit.

AFAAI 65-101, “Internal Audit Procedures,” contains guidance on audit planning as well as a template “audit planning program” that all AFAA auditors are required to use during audits.
AFAAI 65-101 states that audit managers should:

    …continuously monitor auditor progress during the planning phase, provide assistance as needed, and assure the auditor conducts the planning phase in accordance with AFAA policies and procedures; and ensure the auditor uses the Audit Planning Program and either completes each step or provides rationale for not completing the step.

We found insufficient documentation related to audit planning in all three AFAA SAP audits we reviewed. For example, one of the audits did not have an audit program and another did not have supervisory approval for audit steps that were either not completed during the audit or were marked “N/A.”

Supervision. GAS 7.45 requires staff to be properly supervised and GAS 7.47 states that supervisory reviews of audit work should be documented. AFAAI 65-103 requires supervisors to use an “Audit Review Record” to document the supervision and supervisory reviews. According to AFAAI 65-103, the review record must include the supervisor’s initials and date, and the working papers must contain “clear evidence” of supervisory review. We found that several working papers in each of the audits were either not reviewed in a timely manner or not reviewed at all by a supervisor. The AFAA Chief, Special Programs Division stated that since the office locations are widely scattered across the U.S., he visits each office only three to four times per year. In two audits, this prevented him from being able to review the working papers until five months after they were written. This is mitigated somewhat by the fact that all of the auditors at the AFAA SAP field offices are senior auditors.

We recognize that the SAP audit environment presents challenges for complying with some of the AFAA quality processes.
However, supervision is a key government auditing standard and a key element of an effective quality program. Supervisors must find ways to provide proper supervision even within such an environment.

Evidence and Audit Documentation. Working papers are used to organize, prepare, and collect relevant evidence and documentation during an audit. GAS 7.66 requires that auditors prepare and maintain audit documentation, and that the audit documentation should contain support for findings, conclusions, and recommendations before auditors issue their report. GAS 7.68 states that the audit documentation forms the principal support for the auditors’ report.

AFAAI 65-103 requires auditors to document the work performed to support significant conclusions and judgments, including descriptions of transactions and records examined that would enable an experienced auditor to examine the same transactions and records. AFAAI 65-103 provides the following guidelines for working papers (excerpt): “The working papers should be understandable without supplementary oral explanations. Anyone using or reviewing the working papers should be able to readily determine their purpose and source, the nature and scope of the work performed, and the auditor’s conclusions.”

Although we found AFAA SAP audit working papers contained sufficient, competent, and relevant evidence to support judgments and conclusions in the reports, improvements could be made to audit documentation. We found that 6 of the 15 judgmentally selected facts and figures we reviewed in one report, 10 of 15 in another report, and 1 of 15 in the third report could have been better supported.
Some of the deficiencies we noted during our review were:

• Source documents were missing information about the provider of the source documents, and in some cases it was impossible to determine whether a document was auditor-generated or a source document.

• Several figures in the report had no audit trail to source documents. We eventually identified the source documents and verified the data based on our review of source documents.

• A figure in the report referenced back to a note written by the auditor that did not include any source information. During our review, the auditor attributed the statement to management, but there was no attribution on the note or in the report. Without such attribution a reviewer of the working papers or of the report cannot know if the management that provided the information was a reliable source.

• Working papers, such as background information and briefing charts, were missing the AFAA-required elements of purpose, source, and conclusion.

Reporting. GAS 8.45 states that “… evidence included in audit reports should demonstrate the correctness and reasonableness of the matters reported…” GAS provides a best practice to help ensure this standard:

    One way to help ensure the audit report is accurate is to use a quality control process such as referencing… in which an experienced auditor who is independent of the audit verifies that statements of fact, figures, and dates are correctly reported, that findings are adequately supported by the audit documentation, and that the conclusions and recommendations flow logically from the support.

AFAAI 65-101 requires auditors to obtain an independent reference review (IRR) before the draft report is issued to management.
The guidance requires the independent referencers to trace information in the cross-referenced draft report through the summary working papers to the supporting working papers to determine that they are consistent with and supported by the working papers and to “be alert to statements in the report which seem illogical or lack clarity, ensure the team chief has reviewed all supporting working papers and cleared any review notes, and refuse to sign the IRR record until the team chief has finished reviewing and signed off on the working papers.”

We found that the three AFAA SAP audit reports generally met the GAS reporting standards. However, none of the SAP reports we reviewed complied with the AFAA requirements for IRRs. None of the three reports received an IRR before the draft report was issued to management, and two of the three reports received no IRR. The AFAA Chief, Special Programs Division stated that he was unable to conduct IRRs before the draft reports were issued due to a lack of resources within the SAP environment, and that he relied on the experience of the auditors to ensure the quality of the audits. We found that the one completed IRR was not adequately documented; specifically, the referencer’s signature on the IRR document was not dated so we were not able to ascertain whether the IRR was completed before the draft report was issued. Also, the referencer did not indicate any concerns during the IRR; however, we found discrepancies with the references, such as a figure cited in the report as representing fourth quarter data that was documented in the working papers as representing the first, second, and third quarters only.

We found misleading or unsupported information in the final reports of the two audits that did not have IRRs.
Although none of these inaccuracies affected the overall conclusions of the reports, they demonstrate instances that an IRR might have alerted the auditors to before the reports were issued to management. Specifically, we found:

• A figure cited in the report as “a contract was established in April 2000 for $421.0 million”; however, $421.0 million was the amount of the contract after several contract modifications; the amount of the contract at the date of establishment was $402.0 million.

• A figure cited in the report as $330,000 was documented in the working papers as $300,000.

• A figure cited in the report as 52 percent was documented in the working papers as 53 percent.

Over time, if errors continue to be found in reports, the report recipients may begin to question significant conclusions of the reports. AFAAI 65-101 does not exclude the IRR from the SAP audits and does not define circumstances in which an IRR need not be done.

Quality Assurance. GAS 3.50 requires that an audit organization’s internal quality control system should include procedures for monitoring, on an ongoing basis, whether the policies and procedures related to the standards are suitably designed and are being effectively applied. This is often referred to as an internal quality assurance program.

AFAAI 65-105, “Internal Quality Control Review Program,” provides guidance on the AFAA internal quality control program, and notes that it consists of four components: supervision, independent referencing, internal quality control reviews, and external quality control reviews. AFAA conducts three types of internal reviews: functional, management, and quality assurance.
Quality assurance reviews evaluate whether AFAA activities adhere to applicable government auditing standards and internal policies and procedures for conducting audit projects. The AFAA internal quality control review program uses a team approach to accomplish this type of review and a checklist based on GAS and AFAA policies and procedures. The AFAA Policy, Oversight, and Systems Division develops an annual review plan that describes the functional, management, and quality assurance reviews planned for the next year. The AFAA Policy, Oversight, and Systems Division also prepares a 3-year review plan for quality assurance reviews which ensures each AFAA audit division/region receives a quality assurance review at least once during the 3-year cycle.

AFAAI 65-105 does not exempt or waive SAP audits. However, AFAA personnel involved with the internal quality control review program stated that they do not conduct quality assurance reviews of SAP audits. AFAA has not conducted a quality assurance review of a SAP audit in at least 10 years, specifically due to the limitations on access because of security requirements.

Conclusion. SAP audits seldom get the monitoring or oversight of non-SAP audits because of the security requirements. AFAA guidance on the quality control system does not specifically address SAP audits. The AFAA Chief, Special Programs Division has stated that he is unable to fully implement key elements of the AFAA quality control system because of security-related limitations.
We recognize the challenges that result from these limitations; however, AFAA needs to re-emphasize the importance of complying with the key elements of the quality control system.

Although we did not find that any of the deficiencies we noted would individually or collectively justify an opinion other than unqualified, AFAA needs to ensure on an ongoing basis that their internal quality control system within the SAP environment taken as a whole still provides reasonable assurance that GAS is met.

Recommendations. We recommend that the Air Force Auditor General:

1. Stress to SAP auditors the importance of complying with existing guidance and procedures related to independence, specifically in completing independence statements.

   Management Comments. The AFAA concurred in principle with the recommendation and stated that while they agree improvements were needed to document their independence on each project, the AFAA does not believe recommending a specific software package was inappropriate. The AFAA stated that the audit evaluated various processes used at several locations and recommended streamlining and improving the entire operation. At the Command-level, the newly developed software package allowed the auditor to easily reconcile total cash accountability. However, reconciliation was difficult and labor intensive at subordinate units because the tracking systems were not as effective. As a result, the AFAA report stated that the units used different procedures and recommended the Command direct use of the Command-level software package. While working paper documentation could have been better, the AFAA stated that they complied with GAS 3.14 and had sufficient evidence to justify recommending the Command-level system.
   The Special Programs Division Chief will issue a memorandum by September 30, 2005, to all SAP auditors stressing the importance of complying with guidance related to independence, including preparing independence statements and providing advice to management.

   Reviewer Response. Management comments meet the intent of the recommendation. We revised the report including this recommendation based on comments to the draft report related to circumstances in which the auditor provided advice to the command. No further comments are required.

2. Ensure that the SAP auditors and supervisors are timely made aware of changes in policies, practices and guidance.

   Management Comments. The AFAA concurred with the recommendation and stated that the Special Programs Division Chief will issue a memorandum by September 30, 2005, directing all SAP auditors to periodically review the AFAA web site to identify changes in policies, practices, and guidance.

   Reviewer Response. Management comments are responsive.

3. Re-emphasize to SAP auditors and supervisors the importance of complying with the key elements of the AFAA quality control system, specifically related to audit planning, supervisory reviews, and independent reference reviews.

   Management Comments. The AFAA concurred with the recommendation and stated that for audit planning the Special Programs Division Chief will issue a memorandum by September 30, 2005, to all SAP auditors emphasizing the importance of complying with planning guidance contained in AFAAI 65-101. Regarding supervision, the AFAA stated that the Special Programs Division Chief will make working paper reviews a higher priority and will delegate supervisory responsibilities to a GS-14 for some projects.
   In addition, the Division Chief will issue a memorandum by September 30, 2005, to all SAP auditors directing them to submit periodic project status reports and document project related telephone conversations with the Division Chief. For independent referencing, although very important, the AFAA stated that performing independent referencing on every Special Programs Division project may not be practical for reasons such as security considerations and most locations have only one auditor and temporary duty travel may not be cost-effective. However, the AFAA will revise guidance by September 30, 2005, to give the Division Chief the flexibility to decide which projects warrant independent referencing depending on project complexity, working paper location, and security classification. If the Division Chief decides independent referencing is not warranted, a memorandum for record supporting the decision will be required. Also, independent referencing on all projects at locations with more than one auditor will be required.

   Reviewer Response. Management comments meet the intent of the recommendation.

4. Establish as part of its internal quality control review program, internal quality assurance reviews of selected SAP audits in order to comply with GAS 3.50.

   Management Comments. The AFAA concurred in principle with the intent of the recommendation and stated while they agree including SAP audits in quality assurance reviews would add quality control, potential benefits must be weighed against security implications. As an alternative, the Division Chief will have senior personnel perform complete reviews of selected projects using AFAA quality assurance review checklists and report results to the Division Chief and Auditor General.

   Reviewer Response. Management comments meet the intent of the recommendation.
   We recognize that the SAP audits could not necessarily be treated the same as non-SAP audits in the internal quality assurance program. The AFAA alternative procedures meet the intent of GAS for on-going monitoring.

Appendix C. Management Comments

Final Report Reference
Revised at pg. 11
Revised Report at pg. 6